Hackers Get Personal Info On 12-Million Apple Users... From An FBI Laptop

from the privacy-schmivacy? dept

Much of the debate over cybersecurity legislation like CISPA and the Cybersecurity Act focused on getting more private companies to "share data" with federal government agencies, including the FBI and the NSA. As we've pointed out time and time again, beyond the basic privacy rules that the bills tended to bulldoze through, any time you increase the sharing of private data, you're only making it that much easier for hackers to access that info because you're putting it in more places -- some of which will almost definitely be insecure. In other words, even though these bills were ostensibly about "protecting" from hack attacks, by increasing the sharing of data, they'd almost certainly open up new attack opportunities and make it easier for hackers to get info.

While neither bill passed (yet), the latest example of what happens when you have widespread data sharing comes from some Antisec hackers, who claim that -- in response to a presentation from the NSA's General Keith Alexander -- they wanted to probe the security of various government agencies, including the FBI. End result? They claim to have hacked into the laptop of FBI agent Christopher Stangl, who has appeared in recruitment videos for the FBI looking to hire "cyber security experts."

The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called "NCFTA_iOS_devices_intel.csv", which folks at Hacker News have pointed out likely refers to the National Cyber-Forensics & Training Alliance. According to its website, the NCFTA...

functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs.

In other words, it's almost exactly what we were told we needed CISPA to enable. In fact, during the CISPA debate, we specifically pointed to the NCFTA to ask why we needed CISPA, since something like that was already possible.

And now it seems to also be showing why CISPA or other similar legislation focused on increased "sharing" of info could actually put many more users at risk, rather than protect them. When the feds are careless with the info they receive from companies, it's going to get hacked. These kinds of things just put a giant target on their back, and now we're seeing the harmful results of such sharing without effective privacy protections.

Cyber-insecurity

What were the feds doing with the personal information of 12 million iPhone users in the first place? Certainly they can't all be involved in cyber-crime. Looks to me like they were gathering data on huge numbers of innocent people without probable cause.

And I doubt it was for any "cyber security" purpose, either. How does having that info help that? It doesn't. What it *does* do is let them very quickly identify the owner of a cell phone the FBI suddenly takes an interest in for any reason, without having to go to a judge or even to Apple first after taking an interest in it. Sounds much more likely to be used to get around that pesky Fourth Amendment and track down accused drug dealers and terrorists.

Of course, the smart ones of those use burn phones purchased without a plan and loaded with prepaid minutes using anonymous cash transactions, so they a) won't have (non-phony) names and addresses in that data and b) would be using cheaper handsets anyway (no plan, no subsidy).

So, in short, the feds' data was useless for going after any real bad guys (though it could be very easily abused to harass random citizens), and it has now proved to be worse than useless for "cyber security" purposes.

Re:

So you don't think that having a massive amount of information that the NSA/FBI has NO REASON TO HAVE is part of the issue? Since when have 12.3 million iPhone users become the subject of a government investigation?

Re: Re:

Uh, no. The only way the Feds could have this data is for Apple to give it to them. And if some random Fed has it on their laptop, 1,000s of Feds have it on their laptops.

And that it came from the laptop of a Cyber-Security specialist is just over-the-top funny. While the data itself may not be considered especially sensitive (to the FBI, anyway), they neglected to consider the sensitivity of the fact that they have the data at all. FAIL and FAIL.

Re: Re:

12.3 million usernames and passwords in the hands of the US government (and now lost)? Odds are 50-50 that Apple had something to do with this. The options are: Apple gave the passwords up freely, or the government hacked into Apple's servers.

Either way, 12.3 million usernames and passwords suggest that the NCFTA isn't about teaching, nor is it about mitigating cyber crime.

Re: Re: Re:

"is just over-the-top funny"

I wouldn't really qualify it as funny by either definition. I would qualify it as horrifying. If they have millions of usernames and passwords from Apple, they probably also have millions from Android, Windows Mobile, and Blackberry. It's only a matter of time before those get leaked. The US government is not a secure system.

It's Not for Spying on You

The FBI already has all your personal information and has had for many years...it's called a Driver's license. They also have access to all your Bank, IRS, Employment, Medical and Social Security records.
So to find out what you're up to or to track you is not the issue...they can easily get your mobile# and track you whenever they want. All law enforcement can.
Why they would need this much info on a laptop is anybody's guess.
Perhaps it's a list of naive young men that they can convince to join in a terrorist plot.

Re: Re:

I don't see the acronym NSA in "FBI Laptop". However, collecting this amount of data from 12.3 million users is wrong, but it wasn't the NSA who kept it in an insecure location. They weren't responsible for the FBI's lack of competence. Why does the FBI have this info? It's their job to filter through the data on the NSA computers.
Whether we like it or not, the NSA computers collect everything coming in and out of the country. The FBI chooses to extract whatever data they want under an ad hoc warrant approved by an even more incompetent DOJ.

Re: Re: Re:

It was data collected by the NSA computers and not given by Apple. Apple requires users to have a connection to the Internet to register on their site in order to buy their products. All of this was monitored by the NSA's computer system (which picks up all incoming and outgoing traffic) from which the FBI "organizes" lists without thought or due process from the DOJ.

Re: Re: Re: Re:

"Why apple? The telcos can probably pull this and have demonstrated their propensity to roll over for the feds."

While it may be possible for the telcos to hack their way into someone's phone and steal their password, it's far more likely that 12.3 million usernames and passwords came from one central source; Apple.

If we find out that all those usernames and passwords come from just one telco, then you would be right. If that is the case, then a boycott isn't just justified, it's required for reasons too long to get into without knowing for sure.

Shiny New Legislation

Soo... every time someone proposes one of these terrible new laws that gives the Government the authority to do something we're pretty sure the people don't want the Government doing, there's someone at a federal agency going "shutup-shutup-shutup", because they're already doing it.

This means we MUST make CISPA even stronger! We must remove ALL privacy protections from it, and government MUST be able to know EVERYTHING, including what you eat, and even where you breathe air from!

But adding new cyber security regulations on private business or the government, even voluntary guidelines? NO WAY! That's how you KILL FREEDOM!!! Do you want freedom of American businesses to die? That's what will happen if we try to stop private businesses from leaving your personal info lying around where any hacker can steal it!

Besides, if anything goes wrong after CISPA passes we can always just blame the government! Everyone likes blaming the government!

Sorry to question this whole thing, but wouldn't it make sense that this office have access to information that might have been stolen to begin with?

Just because they were "hacked" doesn't mean they didn't recover the information during an investigation.

We certainly don't have enough information to make a judgement as to why the information was in the possession of the agency/FBI. Heck - maybe he's the hacker?!?

I'd be interested to know if this hacking occurred through a govt network or some other network. If the laptop doesn't leave the office (in many jobs these days, the computer issued is a laptop regardless of whether you get to take it home), then the network is compromised and an individual agent might not be to blame. If the laptop does leave the office and isn't physically compromised, then there might be a problem with VPN security. If the agent is using the laptop inappropriately and exposing it to network or other threats, then it's a different issue.

"...given the number which is nowhere near how many iOS devices exist, and given Apple banned developers from using those IDs over 6 months ago, something makes me suspect the FBI was getting the IDs passed on to them from a shady app developer who was using the IDs to identify specific iOS devices who installed the app."

I don't know enough about Apple products to add much myself. However, isn't it broadly known that their app ecosystem is insecure enough that it could have been a very minor player acting poorly, rather than anyone major?

Re: Re: Re: Re: Re:

Just sayin', there are no passwords. Just UDIDs and personal information which is usually put into phones to identify who owns it. Where I want to blame Apple, this information is easily gotten by Telcos.

Re: Re: Re:

Sorry, wasn't logged in up there. Just a theory here, but the way I see it, the NSA only collects data regardless. It is majorly disorganized because new information comes in constantly, so the FBI orders the data they need collected. It is sent over lines that are filtered through their computers to the FBI's system. The data for these users was flagged so by the incompetence of the FBI and DOJ, the "warrant" was "issued" and certain data types were collected from the unorganized mess of data stored on the computers at the NSA.

FBI agent stores it on an insecure, unencrypted location (a laptop) and the data is stolen.

So Apple had nothing to do with handing any data over. As an Apple user myself, I can tell you that you have to have an Internet connection to register your device. Since the NSA computer system collects everything under the sun that is transmitted through the Internet, their computers got this information.

Re:

If you read the article, the Hackers stated that they used a security hole in Java, I believe, to get into the FBI agent's computer. The fact that he got hacked (despite being a Cyber security expert for the FBI) means nothing to me. Everyone gets hacked. The fact that he stored sensitive information on a computer which is the number one thing you learn NOT to do when you learn to be a Computer Security person is where I cry inside. He, of all people, should have known not to have that file on his computer at all. It is things like this that make people lose the faith in the government because the people WHO SHOULD KNOW BETTER and get paid to know better, don't and yet nothing happens to them because they are the government.

Re: Re: Re: Re: Re: Re:

The personal information such as UDIDs and credit card info are sent in data packets through the NSA computer system where the FBI sifted through to get it. This data is transmitted over the Internet and therefore does in fact get filtered through the NSA where the FBI can set flags to catch certain sets of data to collect.

What bothers me most though is that the NSA didn't find collecting this amount and type of data unethical.

I know what UDID last summer.

Re: Re: Re: Re:

I think it's far more probable that Apple handed the data over. Even if they did not, though, the scenario you described above makes Apple look even worse, as that would mean they suffered a direct failure of security rather than an intentional release.

Re: Re: Re: Re:

I disagree.
While this to some is funny haha, it also is a prime example of funny uh-oh. None of them are pleased they have the data, but there is sheer joy to be found in them getting caught spying on citizens (AGAIN) and proving it with epic failure.

I await the PR spin trying to clean this up, the calls for "investigations" that will result in not a damn thing happening to stop this. The only way it will stop is when they start putting the files on what Congresscritters are doing and publishing those, then it will be of great concern and require action to rein them in.

Someone we pay to be an expert and protect us is a moron.
They were hired by people who are supposed to make sure we have the best, we sure as hell pay enough for the very best and what we got is someone who obviously took a weekend course to be "certified".

The problem is and continues to be the inability of the Government to move forward, like the cartels, in a logical way instead of waiting for the next headline and knee-jerk overreactions.

iPwnd...

Re: Re: Re: Re: Re:

They collect data from everywhere so it can be assumed it's rather unorganized.

My mind is terribly analytical and I figured that if I were to collect data using some of the most powerful computers in the world from all over the world at once, it would be quite disorganized and you would HAVE to program in a set of flags for certain bits that you desire.

That being said, knowing full well it wasn't Apple who gave it away, why did the FBI have all that data on 12.3 million users a) in one location and b) how did they get the data without a court order?